Overview
This guide demonstrates how to test long-lived sessions for proxy app user flows using the new offline access option in the Entra ID and OIDC Identity Fabric. The test validates that user attribute changes trigger the appropriate authorization decisions during active sessions, ensuring that policy rules are enforced dynamically rather than only at sign-in.
Purpose
Verify that when user attributes change during an active session, the Maverics platform correctly updates headers, revokes or grants access based on updated policy evaluations, rather than relying solely on initial authentication attributes. This ensures continuous security enforcement in long-lived sessions.
Prerequisites
Before beginning this test, ensure you have:
Maverics Orchestrator deployed and running
Admin access to Entra ID or an OIDC-based Identity Provider, with the privilege to modify a test user's properties
A test proxy application configured
Test Procedure
Step 1: Configure the Entra ID OIDC or Generic OIDC Identity Fabric
Set up your test configuration with the following parameters:
Identity Fabric Configuration:
Configure Entra ID or an OIDC based identity provider
Enable offline access capability
Proxy User Flow Policy Configuration:
Create an Access policy for a location in your proxy app.
Set the Authentication policy to use your Entra ID or OIDC fabric
Set the Authorization policy to Use rule to define access
Set the rule to grant access when a specific attribute on the Entra session has a specific value (e.g. the user's first_name equals Allan)
Set the policy duration lifetime to 10 seconds (for testing purposes)
Publish your Deployment
Step 2: Deploy and Test
This step will take a little over an hour, because Entra ID's minimum access token lifetime (and therefore the shortest refresh interval) is one hour.
Access your proxy application
Sign in using Entra ID credentials (using a test user)
Verify successful authentication and session establishment by clicking around your app
Step 3: Modify User Attributes
While the session remains active:
Navigate to Entra ID user management
Locate the test user and edit the properties
Change the attribute used in the policy decision (e.g. user's first_name)
Save the attribute changes
Note the time of modification
Note: This attribute change should trigger the policy rule to deny access, since the first name no longer matches "Allan".
Step 4: Wait for Token Refresh then verify Authorization Enforcement
Wait for one hour to allow the access token to refresh
During this period, the session will continue using the existing token
After the one-hour waiting period:
Attempt to access the proxy application with the existing session
To verify that the updated user attributes have been retrieved, confirm that access is denied based on the policy rule
You can also check Orchestrator logs to verify policy evaluation occurred with updated attributes
Expected Result: Access should be denied because the user's name no longer satisfies the policy rule.
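The timing the test relies on, as an added simulation that is not Maverics code and not the Orchestrator's real policy engine: a fake identity provider (constructed, standing in for Entra ID) issues an access token whose claims are a snapshot of the user's attributes at issue time, hands out a refresh token only when offline_access was requested, and re-reads the current attributes on refresh. The session re-evaluates the rule every POLICY_DURATION seconds, but until the token is refreshed it re-evaluates against stale claims, which is why the attribute change in Step 3 only produces a deny at the one-hour mark. The user name, attribute values and token lifetimes are constructed for the example.

```python
"""Simulation of attribute-driven authorization in a long-lived proxied session (constructed example)."""
from dataclasses import dataclass

POLICY_DURATION = 10   # seconds a cached policy decision is trusted (the test's 10-second setting)
TOKEN_LIFETIME = 3600  # Entra ID minimum access token lifetime in seconds


@dataclass
class Token:
    claims: dict      # attribute snapshot taken when the token was issued
    issued_at: int    # simulated epoch seconds

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + TOKEN_LIFETIME


class FakeIdP:
    """Stand-in for Entra ID / a generic OIDC provider. Not a real client."""

    def __init__(self, users: dict):
        self.users = users            # user -> mutable attribute dict
        self.refresh_tokens = {}      # opaque refresh handle -> user

    def authenticate(self, user: str, scopes, now: int):
        token = Token(dict(self.users[user]), now)
        refresh = None
        if "offline_access" in scopes:       # the "offline access" option in the fabric config
            refresh = f"rt-{user}"           # constructed opaque handle
            self.refresh_tokens[refresh] = user
        return token, refresh

    def refresh(self, refresh_token: str, now: int) -> Token:
        # A refresh re-reads the user's *current* attributes, so changes surface here.
        user = self.refresh_tokens[refresh_token]
        return Token(dict(self.users[user]), now)

    def set_attribute(self, user: str, name: str, value: str) -> None:
        self.users[user][name] = value       # Step 3: edit the user while the session is live


@dataclass
class Rule:
    attribute: str
    equals: str

    def allows(self, claims: dict) -> bool:
        return claims.get(self.attribute) == self.equals


class Session:
    def __init__(self, idp: FakeIdP, user: str, scopes, rule: Rule, now: int):
        self.idp, self.rule = idp, rule
        self.token, self.refresh_token = idp.authenticate(user, scopes, now)
        self.decision, self.decided_at = None, None

    def authorize(self, now: int) -> str:
        # 1. If the access token has expired, refresh it (possible only with offline access).
        if self.token.expired(now):
            if self.refresh_token is None:
                return "reauth-required"
            self.token = self.idp.refresh(self.refresh_token, now)
            self.decision = None              # fresh claims invalidate the cached decision
        # 2. Reuse a cached decision inside the policy duration window.
        if self.decision is not None and now - self.decided_at < POLICY_DURATION:
            return self.decision
        # 3. Otherwise re-evaluate the rule against whatever claims the session holds.
        self.decision = "allow" if self.rule.allows(self.token.claims) else "deny"
        self.decided_at = now
        return self.decision


def run_scenario(scopes=("openid", "offline_access")) -> dict:
    """Replays Steps 2-4 and returns the decision observed at each simulated time."""
    idp = FakeIdP({"testuser": {"first_name": "Allan"}})
    session = Session(idp, "testuser", scopes, Rule("first_name", "Allan"), now=0)
    timeline = {0: session.authorize(0)}                       # sign-in: allowed
    idp.set_attribute("testuser", "first_name", "Bob")         # attribute changed mid-session
    timeline[60] = session.authorize(60)                       # re-evaluated, but on stale claims
    timeline[3599] = session.authorize(3599)                   # still inside the token lifetime
    timeline[3600] = session.authorize(3600)                   # token refreshed -> rule now fails
    return timeline


if __name__ == "__main__":
    for when, decision in run_scenario().items():
        print(f"t={when:>4}s: {decision}")
```

Running it prints allow at 0, 60 and 3599 seconds and deny at 3600; calling run_scenario(scopes=("openid",)) instead shows that without offline access the session cannot refresh at all and reports reauth-required, which is the behaviour to look for when the "Access still granted" or "Session not terminating" troubleshooting cases point at a missing offline access setting.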
Important Considerations
⚠️ Critical Test Requirements:
User attributes must be changed while the session is still active to properly test dynamic authorization
The test user must have an active session before attribute modification
Entra ID enforces a minimum one-hour access token lifetime, so the refresh interval cannot be shortened below one hour
⚠️ Configuration Notes:
The 10-second policy duration is for testing purposes only
Production environments should use appropriate policy duration values based on security requirements
Ensure offline access is enabled in your Entra ID or OIDC-based identity fabric
Reference
Video Walkthrough:
Loom Recording - Testing Long-Lived Sessions
Securing Long Lived Sessions Tutorial
Related Documentation:
Troubleshooting
If the test does not produce expected results:
Session not terminating after attribute change
Verify the policy duration has elapsed
Confirm the token refresh has occurred (check Orchestrator logs)
Access still granted with changed attributes
Verify the policy rule syntax is correct
Check that the attribute name matches exactly in the policy
Confirm the OIDC connector is retrieving updated user info during token refresh